CN103023704B - Virtual network service equipment access method and system - Google Patents
Publication number: CN103023704B (application CN201210566912.6A; also published as CN103023704A)
Authority: CN (China)
Prior art keywords: data forwarding rule, virtual machine, network service device, network service, port
Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed): Expired - Fee Related
Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a virtual network service device access method and system. The method comprises: obtaining the port number of the current virtual machine on the virtual switch; obtaining the port number of the network service device connected to the virtual switch; and searching the virtual switch for the data forwarding rule of the current virtual machine. If a data forwarding rule for the current virtual machine is found, it is modified according to the port number of the network service device and the new data forwarding rule is written; if none is found, a new data forwarding rule is generated for the current virtual machine and written. By processing the data forwarding rules on the virtual switch, the invention directs the network traffic of the virtual machine onto the network service device, from which it is forwarded on to the target device after processing, thereby providing a service for monitoring the virtual machine's network traffic.
Description
Technical field
The invention belongs to the field of network management, and in particular relates to a virtual network service device access method and system.
Background art
As an emerging computing model, cloud computing delivers all kinds of resources to users as services over the network by means of virtualization. These services include a wide variety of Internet applications, the platforms these applications run on, and virtualized computing and storage resources, which gives cloud computing the characteristics of on-demand self-service, broad network access, pooled virtualized resources, rapid elasticity and measured service.
In a cloud computing environment a user can generate and start virtual machines through the cloud management platform according to their own service needs, achieving on-demand self-service. Beyond their own business requirements, users often need certain special network services for security assurance, such as intrusion detection systems (IDS)/intrusion prevention systems (IPS), firewalls and unified threat management (UTM) systems. These network services are normally independent of the user's business system: they are devices connected over the network that provide a service on the network traffic entering and leaving the user's virtual machines. They may be virtualized or physical. Connecting these network service devices effectively into the user's virtualized network environment so that they can serve the user requires not only generating and starting the (virtual or physical) device, but also configuring the virtual switch appropriately so that the user's service traffic is directed to the network service device. In a traditional network this steering is achieved by configuring routers or switches; it belongs to the domain of network security management and is usually separate from the user's configuration of their own virtual machines. In a cloud environment the cloud management platform is usually responsible only for generating the virtual machines and the internal virtual switch, not for configuring the virtual switch appropriately. Now that network security services are widely needed, if a data center contains a large number of virtual machines and security service systems, manual configuration consumes a great deal of time and resources.
Summary of the invention
The invention provides a virtual network service access method and system, to solve the problem of how to direct the network traffic of a virtual machine onto a network service device.
The invention provides a virtual network service access method, comprising:
obtaining the port number of the current virtual machine on the virtual switch;
obtaining the port number of the network service device connected to the virtual switch; and
searching the virtual switch for the data forwarding rule of the current virtual machine; if a data forwarding rule for the current virtual machine is found, modifying it according to the port number of the network service device and writing the new data forwarding rule; if no data forwarding rule for the current virtual machine is found, generating and writing a new data forwarding rule for the current virtual machine.
Preferably, obtaining the port number of the current virtual machine on the virtual switch comprises:
receiving a network service access command for the current virtual machine, and extracting the port number of the current virtual machine on the virtual switch from the network service access command; and/or
before obtaining the port number of the network service device connected to the virtual switch, the method further comprises:
starting a network service device and connecting it to the virtual switch.
Preferably, modifying the data forwarding rule according to the port number of the network service device and writing the new data forwarding rule comprises:
copying the data forwarding rule as the new data forwarding rule; changing the forwarding port number in the data forwarding rule to the port number of the network service device; changing the source port number in the new data forwarding rule to the port number of the network service device and deleting every operation other than "forward"; and writing the rules to the virtual switch; and/or
generating and writing a new data forwarding rule for the current virtual machine comprises:
generating a new data forwarding rule with the port of the current virtual machine as source port and the port of the network service device as forwarding port, and writing it to the virtual switch; and
generating a new data forwarding rule with the port of the network service device as source port, the NIC address of the current virtual machine as destination NIC address, and the port of the current virtual machine as forwarding port, and writing it to the virtual switch.
Preferably, after searching the virtual switch for the data forwarding rule of the current virtual machine, the method further comprises:
keeping all data forwarding rules other than those of the current virtual machine unchanged.
Preferably, the virtual switch is a switch supporting OpenFlow.
The invention also provides a virtual network service access system, comprising:
a virtual machine port number obtaining module, for obtaining the port number of the current virtual machine on the virtual switch;
a network service device port number obtaining module, for obtaining the port number of the network service device connected to the virtual switch; and
a data forwarding rule processing module, for searching the virtual switch for the data forwarding rule of the current virtual machine; if a data forwarding rule for the current virtual machine is found, modifying it according to the port number of the network service device and writing the new data forwarding rule; if no data forwarding rule for the current virtual machine is found, generating and writing a new data forwarding rule for the current virtual machine.
Preferably, the virtual machine port number obtaining module is specifically for: receiving a network service access command for the current virtual machine, and extracting the port number of the current virtual machine on the virtual switch from the network service access command; and/or
the network service device port number obtaining module is further for: starting a network service device and connecting it to the virtual switch.
Preferably, the data forwarding rule processing module comprises:
a forwarding rule searching unit, for searching the data forwarding rules on the virtual switch and copying the data forwarding rule of the virtual machine as the new data forwarding rule;
a forwarding rule modification unit, for changing the forwarding port number in the data forwarding rule to the port number of the network service device, changing the source port number in the new data forwarding rule to the port number of the network service device, deleting every operation other than "forward", and writing the rules to the virtual switch; and
a forwarding rule generation unit, for generating a new data forwarding rule with the port of the current virtual machine as source port and the port of the network service device as forwarding port and writing it to the virtual switch; and generating a new data forwarding rule with the port of the network service device as source port, the NIC address of the current virtual machine as destination NIC address, and the port of the current virtual machine as forwarding port, and writing it to the virtual switch.
Preferably, the data forwarding rule processing module is further for: keeping all data forwarding rules other than those of the current virtual machine unchanged.
Preferably, the virtual switch is a switch supporting OpenFlow.
The above virtual network service access method and system, by processing the data forwarding rules on the virtual switch, direct the network traffic of the virtual machine onto the network service device, from which it is forwarded to the target device after processing, thereby providing a service for monitoring the virtual machine's network traffic.
Brief description of the drawings
Fig. 1 is the flow chart of the virtual network service access method of the invention;
Fig. 2 is the flow chart of step S1 in Fig. 1;
Fig. 3 is the flow chart of the first part of step S3 in Fig. 1;
Fig. 4 is the flow chart of the second part of step S3 in Fig. 1;
Fig. 5 is the structural diagram of the virtual network service access system of the invention;
Fig. 6 is the structural diagram of the data forwarding rule processing module in Fig. 5.
Detailed description
To make the objects, technical solutions and advantages of the invention clearer, the embodiments of the invention are described in detail below with reference to the accompanying drawings. It should be noted that, where no conflict arises, the embodiments of this application and the features in the embodiments may be combined with one another arbitrarily.
The invention modifies the data forwarding rules on the virtual switch according to the ports of the virtual machine and of the network service device, so that the network data entering and leaving the virtual machine is automatically directed to the relevant network service device, realizing the network service for the virtual machine.
Fig. 1 is the flow chart of the virtual network service access method of the invention, which comprises the following steps:
Step S1: obtain the port number of the current virtual machine on the virtual switch;
Step S2: obtain the port number of the network service device connected to the virtual switch;
Step S3: search the virtual switch for the data forwarding rule of the current virtual machine; if a data forwarding rule for the current virtual machine is found, modify it according to the port number of the network service device and write the new data forwarding rule; if no data forwarding rule for the current virtual machine is found, generate and write a new data forwarding rule for the current virtual machine.
The method further comprises: keeping the data forwarding rules other than those of the current virtual machine unchanged.
As shown in Fig. 2, step S1 further comprises:
Step S11: receive the network service access command for the current virtual machine;
Step S12: extract the port number of the current virtual machine on the virtual switch from the network service access command.
Before step S2, the method may further comprise: starting a network service device and connecting it to the virtual switch.
As shown in Fig. 3, modifying the data forwarding rule according to the port number of the network service device and writing the new data forwarding rule further comprises:
Step S31: copy the data forwarding rule as the new data forwarding rule;
Step S32: change the forwarding port number in the data forwarding rule to the port number of the network service device;
Step S33: change the source port number in the new data forwarding rule from step S31 to the port number of the network service device, delete every operation other than "forward", and write the rules to the virtual switch.
As shown in Fig. 4, generating and writing a forwarding rule for the virtual machine further comprises:
Step S34: generate a new data forwarding rule with the port of the current virtual machine as source port and the port of the network service device as forwarding port, and write it to the virtual switch;
Step S35: generate a new data forwarding rule with the port of the network service device as source port, the NIC address of the current virtual machine as destination NIC address, and the port of the current virtual machine as forwarding port, and write it to the virtual switch.
Example
The above flow is further explained below with an application example.
In one embodiment of the invention the virtual switch on the physical host is an OpenFlow switch (for example Open vSwitch). Modification and writing of data forwarding rules can be realized with the "ofp_flow_mod_command" command (the OpenFlow flow-mod message, whose command field selects OFPFC_ADD, OFPFC_MODIFY or OFPFC_DELETE). The data forwarding rules on the virtual switch can be read by querying the virtual switch with an "ofp_flow_stats_request" message and extracting them from the "ofp_flow_stats" reply returned by the OpenFlow switch.
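The following is an added example, not code from the patent or from Open vSwitch, showing steps S3 and S31-S35 carried out on an in-memory OpenFlow table and each resulting rule rendered as the argument string of `ovs-ofctl add-flow`. It assumes a flow is a dict with keys "priority", "match" and "actions", that an "output" action is the patent's "forwarding port" and the match's "in_port" its "source port", and that the port numbers, MAC address and starting table are constructed sample values; the split of S32/S33 between the original rule and its copy is this example's reading of the text.

```python
"""Added example (not the patent's own code): steps S3/S31-S35 carried out on
an in-memory OpenFlow table, with each resulting rule rendered as the argument
string of `ovs-ofctl add-flow`.  A flow is modelled as a dict with keys
"priority", "match" (field -> value) and "actions" (list of (name, arg)
tuples); an "output" action is the patent's "forwarding port", the match's
"in_port" its "source port".  Port numbers, the MAC address and the starting
table are constructed sample values (assumptions, not from the patent).
"""
import copy

VM_PORT = 3                    # assumed port of the current VM on the virtual switch
SERVICE_PORT = 7               # assumed port of the service device (IDS/IPS/firewall)
VM_MAC = "fa:16:3e:00:00:01"   # assumed NIC address of the current VM


def output_ports(flow):
    """Ports named by the flow's 'output' (forward) actions, in order."""
    return [arg for name, arg in flow["actions"] if name == "output"]


def find_vm_flows(table, vm_port):
    """Step S3 lookup (unit 431): flows whose source port or forwarding port is the VM's."""
    return [f for f in table
            if f["match"].get("in_port") == vm_port or vm_port in output_ports(f)]


def redirect_flow(flow, service_port):
    """Steps S31-S33: return (modified original, new rule).

    Reading of the patent used here: the original rule keeps its match and its
    non-forwarding actions but now forwards to the service device (S32); the
    copy matches on in_port=service_port and keeps only the original forwarding
    action(s) (S33), so traffic the device has processed reaches its old
    destination.
    """
    old_outputs = output_ports(flow)
    modified = copy.deepcopy(flow)
    modified["actions"] = ([(n, a) for n, a in flow["actions"] if n != "output"]
                           + [("output", service_port)])
    new = copy.deepcopy(flow)                                   # S31
    new["match"]["in_port"] = service_port                      # S33: source port
    new["actions"] = [("output", p) for p in old_outputs]       # S33: forward only
    return modified, new


def generate_flows(vm_port, vm_mac, service_port, priority=100):
    """Steps S34-S35: the rule pair written when the VM has no rule yet."""
    to_service = {"priority": priority,
                  "match": {"in_port": vm_port},
                  "actions": [("output", service_port)]}
    # S35 matches the VM's MAC so only traffic addressed to this VM returns to it
    from_service = {"priority": priority,
                    "match": {"in_port": service_port, "dl_dst": vm_mac},
                    "actions": [("output", vm_port)]}
    return [to_service, from_service]


def access_service(table, vm_port, vm_mac, service_port):
    """Step S3: return the new table; rules unrelated to the VM are kept as they are."""
    vm_flows = find_vm_flows(table, vm_port)
    untouched = [f for f in table if f not in vm_flows]
    if not vm_flows:
        return untouched + generate_flows(vm_port, vm_mac, service_port)
    rewritten = []
    for f in vm_flows:
        rewritten.extend(redirect_flow(f, service_port))
    return untouched + rewritten


def to_ovs_ofctl(flow):
    """Render a flow as `ovs-ofctl add-flow <bridge> <this string>`."""
    match = ",".join(f"{k}={v}" for k, v in flow["match"].items())
    actions = ",".join(f"{n}:{a}" for n, a in flow["actions"])
    return f"priority={flow['priority']},{match},actions={actions}"


# Constructed starting table: the VM's egress rule tags VLAN 10 and forwards to
# the uplink (port 1); a second VM on port 4 has an unrelated rule.
SAMPLE_TABLE = [
    {"priority": 100, "match": {"in_port": VM_PORT},
     "actions": [("mod_vlan_vid", 10), ("output", 1)]},
    {"priority": 100, "match": {"in_port": 4}, "actions": [("output", 1)]},
]

if __name__ == "__main__":
    for f in access_service(SAMPLE_TABLE, VM_PORT, VM_MAC, SERVICE_PORT):
        print("ovs-ofctl add-flow br-int", to_ovs_ofctl(f))
```

Against a live switch the modified original would be sent as a flow-mod with OFPFC_MODIFY_STRICT and the copy with OFPFC_ADD. Two caveats a practitioner should keep in mind: when both an egress rule and an ingress rule for the VM are rewritten, the copies `in_port=7` and `in_port=7,dl_dst=<VM MAC>` overlap at equal priority, and OpenFlow leaves the choice between overlapping equal-priority rules undefined, so give the rule that returns traffic to the VM a higher priority; and the detour is only as strong as write access to the flow table, since anyone who can issue a flow-mod (the controller, or `ovs-ofctl` on the host) can remove it.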
The above virtual network service access method, by processing the data forwarding rules on the virtual switch, directs the network traffic of the virtual machine onto the network service device, from which it is forwarded to the target device after processing, thereby providing a service for monitoring the virtual machine's network traffic.
Fig. 5 is the structural diagram of the virtual network service access system of the invention, which comprises:
a virtual machine port number obtaining module 41, for obtaining the port number of the current virtual machine on the virtual switch;
a network service device port number obtaining module 42, for obtaining the port number of the network service device connected to the virtual switch; and
a data forwarding rule processing module 43, for searching the virtual switch for the data forwarding rule of the current virtual machine; if a data forwarding rule for the current virtual machine is found, modifying it according to the port number of the network service device and writing the new data forwarding rule; if no data forwarding rule for the current virtual machine is found, generating and writing a new data forwarding rule for the current virtual machine.
The virtual machine port number obtaining module is specifically for: receiving a network service access command for the current virtual machine, and extracting the port number of the current virtual machine on the virtual switch from the network service access command.
In addition, the network service device port number obtaining module is further for: starting a network service device and connecting it to the virtual switch.
As shown in Fig. 6, the data forwarding rule processing module 43 further comprises the following units:
a forwarding rule searching unit 431, for searching the data forwarding rules on the virtual switch and copying, as the new data forwarding rule, each data forwarding rule whose source port number or forwarding port number is the port number of the virtual machine;
a forwarding rule modification unit 432, for changing the forwarding port number in the data forwarding rule to the port number of the network service device, changing the source port number in the new data forwarding rule to the port number of the network service device, deleting every operation other than "forward", and writing the rules to the virtual switch; and
a forwarding rule generation unit 433, for generating a new data forwarding rule with the port of the current virtual machine as source port and the port of the network service device as forwarding port and writing it to the virtual switch; and generating a new data forwarding rule with the port of the network service device as source port, the NIC address of the current virtual machine as destination NIC address, and the port of the current virtual machine as forwarding port, and writing it to the virtual switch.
Further, the data forwarding rule processing module is also for: keeping the data forwarding rules other than those of the current virtual machine unchanged.
Preferably, the virtual switch is a switch supporting OpenFlow.
The above virtual network service access system, by processing the data forwarding rules of the virtual switch, directs the network traffic of the virtual machine onto the network service device, from which it is forwarded to the target device after processing, thereby providing a service for monitoring the virtual machine's network traffic.
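Because the service is only delivered while the steering rules are in place and no other rule reaches the virtual machine directly, an operator wants to confirm the state of the flow table after the module has written it. The following is an added example, not code from the patent or from Open vSwitch, that reads the text output of `ovs-ofctl dump-flows` and checks that every rule whose source port is the VM's forwards only to the service device, that nothing but the service device delivers into the VM, and that a return path exists. The port numbers, MAC address and the dump text are constructed samples, and the parser covers only the common `key=value` match syntax and plain `output:N` actions.

```python
"""Added example (not the patent's own code): a check that the steering the
patent installs is actually in force on an Open vSwitch bridge, read from the
text output of `ovs-ofctl dump-flows`.  The port numbers, MAC address and the
dump text are constructed samples (assumptions, not from the patent).
"""
import re

VM_PORT = 3                    # assumed port of the current VM
SERVICE_PORT = 7               # assumed port of the service device
VM_MAC = "fa:16:3e:00:00:01"   # assumed NIC address of the current VM

# Constructed sample of `ovs-ofctl dump-flows br-int` after steering was set up.
# The last line is a stale rule that still delivers to the VM directly from the
# uplink, i.e. a bypass of the service device.
SAMPLE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=41.2s, table=0, n_packets=10, n_bytes=840, idle_age=3, priority=100,in_port=3 actions=mod_vlan_vid:10,output:7
 cookie=0x0, duration=41.2s, table=0, n_packets=9, n_bytes=760, idle_age=3, priority=100,in_port=7 actions=output:1
 cookie=0x0, duration=41.2s, table=0, n_packets=9, n_bytes=760, idle_age=3, priority=110,in_port=7,dl_dst=fa:16:3e:00:00:01 actions=output:3
 cookie=0x0, duration=41.2s, table=0, n_packets=0, n_bytes=0, idle_age=41, priority=100,in_port=4 actions=output:1
 cookie=0x0, duration=900.0s, table=0, n_packets=55, n_bytes=4100, idle_age=1, priority=50,in_port=1,dl_dst=fa:16:3e:00:00:01 actions=output:3
"""

FLOODING = {"NORMAL", "FLOOD", "ALL"}   # actions that forward without naming a port


def parse_dump(text):
    """Parse dump-flows lines into {"match": {...}, "outputs": set(), "flood": bool}.

    Handles the common `key=value` match syntax and `output:N` actions; the
    priority is kept inside "match" because ovs-ofctl prints it there.
    """
    flows = []
    for line in text.splitlines():
        if " actions=" not in line:
            continue                                  # reply banner / blank line
        left, actions = line.strip().split(" actions=", 1)
        match = {}
        for tok in left.split(", ")[-1].split(","):   # last group = priority + match
            key, _, val = tok.partition("=")
            match[key] = val
        flows.append({
            "match": match,
            "outputs": {int(p) for p in re.findall(r"output:(\d+)", actions)},
            "flood": any(a in FLOODING for a in actions.split(",")),
        })
    return flows


def _port(flow):
    """in_port as an int, or None when absent or given as a name."""
    v = flow["match"].get("in_port", "")
    return int(v) if v.isdigit() else None


def audit(flows, vm_port, service_port):
    """Return a list of findings; an empty list means the steering holds."""
    findings = []
    return_path = False
    for f in flows:
        in_port = _port(f)
        if in_port == vm_port:
            # everything the VM sends must go to the service device and nowhere else
            if f["flood"] or f["outputs"] != {service_port}:
                findings.append(f"VM egress bypasses service device: {f['match']}")
        elif vm_port in f["outputs"]:
            if in_port == service_port:
                return_path = True
            else:
                findings.append(f"flow delivers to VM without passing service device: {f['match']}")
        elif f["flood"] and in_port != service_port:
            # NORMAL/FLOOD/ALL may reach the VM port through ordinary L2 switching
            findings.append(f"flooding rule may reach VM directly: {f['match']}")
    if not return_path:
        findings.append("no return path from service device to VM")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP), VM_PORT, SERVICE_PORT) or ["ok"]:
        print(finding)
```

On a host the live table is obtained with `ovs-ofctl dump-flows <bridge>` and handed to `parse_dump` in place of the sample; a non-empty finding list after the module has written its rules means the "keep other rules unchanged" step left a path around the service device, which is the case a stale lower-priority rule or an `actions=NORMAL` default creates.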
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method can be completed by a program instructing the related hardware, and that the program can be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Alternatively, all or part of the steps of the above embodiments can be realized with one or more integrated circuits. Correspondingly, each module/unit in the above embodiments can be realized in the form of hardware or in the form of a software functional module. The invention is not restricted to any particular combination of hardware and software.
The above embodiments are only intended to illustrate the technical solution of the invention and not to limit it; the invention has been described in detail only with reference to preferred embodiments. Those of ordinary skill in the art should appreciate that the technical solution of the invention may be modified or equivalently replaced without departing from the spirit and scope of the technical solution of the invention, and that all such modifications fall within the scope of the claims of the invention.
Claims (10)
1. A virtual network service access method, characterized in that the method comprises:
obtaining the port number of the current virtual machine on the virtual switch;
obtaining the port number of the network service device connected to the virtual switch; and
searching the virtual switch for the data forwarding rule of the current virtual machine; if a data forwarding rule for the current virtual machine is found, modifying it according to the port number of the network service device and writing the modified data forwarding rule; if no data forwarding rule for the current virtual machine is found, generating a new data forwarding rule for the current virtual machine according to the port number of the network service device and writing it.
2. The method according to claim 1, characterized in that:
obtaining the port number of the current virtual machine on the virtual switch comprises:
receiving a network service access command for the current virtual machine, and extracting the port number of the current virtual machine on the virtual switch from the network service access command; and/or
before obtaining the port number of the network service device connected to the virtual switch, the method further comprises:
starting a network service device and connecting it to the virtual switch.
3. The method according to claim 1, characterized in that:
modifying the data forwarding rule according to the port number of the network service device and writing the modified data forwarding rule comprises:
copying the data forwarding rule as a new data forwarding rule; changing the forwarding port number in the data forwarding rule to the port number of the network service device; changing the source port number in the new data forwarding rule to the port number of the network service device and deleting every operation other than "forward"; and writing the modified and new data forwarding rules to the virtual switch; and/or
generating a new data forwarding rule for the current virtual machine according to the port number of the network service device and writing it comprises:
generating a new data forwarding rule with the port of the current virtual machine as source port and the port of the network service device as forwarding port, and writing it to the virtual switch; and
generating a new data forwarding rule with the port of the network service device as source port, the NIC address of the current virtual machine as destination NIC address, and the port of the current virtual machine as forwarding port, and writing it to the virtual switch.
4. The method according to any one of claims 1-3, characterized in that:
after searching the virtual switch for the data forwarding rule of the current virtual machine, the method further comprises:
keeping the data forwarding rules other than those of the current virtual machine unchanged.
5. The method according to claim 4, characterized in that:
the virtual switch is a switch supporting OpenFlow.
6. A virtual network service access system, characterized in that the system comprises:
a virtual machine port number obtaining module, for obtaining the port number of the current virtual machine on the virtual switch;
a network service device port number obtaining module, for obtaining the port number of the network service device connected to the virtual switch; and
a data forwarding rule processing module, for searching the virtual switch for the data forwarding rule of the current virtual machine; if a data forwarding rule for the current virtual machine is found, modifying it according to the port number of the network service device and writing the modified data forwarding rule; if no data forwarding rule for the current virtual machine is found, generating a new data forwarding rule for the current virtual machine according to the port number of the network service device and writing it.
7. The system according to claim 6, characterized in that:
the virtual machine port number obtaining module is specifically for: receiving a network service access command for the current virtual machine, and extracting the port number of the current virtual machine on the virtual switch from the network service access command; and/or
the network service device port number obtaining module is further for: starting a network service device and connecting it to the virtual switch.
8. The system according to claim 6, characterized in that the data forwarding rule processing module comprises:
a forwarding rule searching unit, for searching the data forwarding rules on the virtual switch and copying the data forwarding rule of the virtual machine as a new data forwarding rule;
a forwarding rule modification unit, for changing the forwarding port number in the data forwarding rule to the port number of the network service device, changing the source port number in the new data forwarding rule to the port number of the network service device, deleting every operation other than "forward", and writing the rules to the virtual switch; and
a forwarding rule generation unit, for generating a new data forwarding rule with the port of the current virtual machine as source port and the port of the network service device as forwarding port and writing it to the virtual switch; and generating a new data forwarding rule with the port of the network service device as source port, the NIC address of the current virtual machine as destination NIC address, and the port of the current virtual machine as forwarding port, and writing it to the virtual switch.
9. The system according to any one of claims 6-8, characterized in that:
the data forwarding rule processing module is further for: keeping the data forwarding rules other than those of the current virtual machine unchanged.
10. The system according to claim 9, characterized in that:
the virtual switch is a switch supporting OpenFlow.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210566912.6A CN103023704B (en) | 2012-12-24 | 2012-12-24 | Virtual network service equipment access method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103023704A CN103023704A (en) | 2013-04-03 |
CN103023704B true CN103023704B (en) | 2016-04-06 |
Family
ID=47971858
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210566912.6A Expired - Fee Related CN103023704B (en) | 2012-12-24 | 2012-12-24 | Virtual network service equipment access method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103023704B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104683476A (en) * | 2015-03-17 | 2015-06-03 | 成都艺辰德迅科技有限公司 | Stored data migration method |
CN107682300B (en) * | 2016-08-02 | 2020-02-14 | 华为技术有限公司 | Method and apparatus for determining a security group rule chain |
CN108111461B (en) * | 2016-11-24 | 2020-11-20 | 中移(苏州)软件技术有限公司 | Method, device, gateway and system for realizing virtual machine access management network |
CN107360058A (en) * | 2017-07-12 | 2017-11-17 | 郑州云海信息技术有限公司 | A kind of method and device for realizing traffic monitoring |
CN115118654B (en) * | 2022-06-17 | 2023-08-18 | 北京百度网讯科技有限公司 | Data forwarding method, system, device and program product under virtual network |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101309180A (en) * | 2008-06-21 | 2008-11-19 | 华中科技大学 | Security network invasion detection system suitable for virtual machine environment |
CN101465770A (en) * | 2009-01-06 | 2009-06-24 | 北京航空航天大学 | Method for disposing inbreak detection system |
CN102523209A (en) * | 2011-12-06 | 2012-06-27 | 北京航空航天大学 | Dynamic adjustment method and device of safety inspection virtual machines |
CN102549977A (en) * | 2009-09-24 | 2012-07-04 | 日本电气株式会社 | Identification system for inter-virtual-server communication and identification method for inter-virtual-server communication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20160406; termination date: 20211224 |